WLC School for Network Admin’s Who Can Read Real Good: Part 1

So the day started out normally, servers were humming along, projects were running on schedule, no one was complaining about the network speeds… ok, so it wasn’t that normal after all; but I digress. I had a meeting with some folks and received a set of specifications for some software we were to utilize for medical records. Lo and behold in the requirements was the necessity for a network connection whenever the application was to be used. We had nothing in place for that but thick concrete and broken dreams.

After reviewing the requirements and workflow a little deeper our team began to see a light at the end of the tunnel. We began to see that we only needed connection in the medical service areas, and not everywhere in between. We can do this, and not only deliver for the medical folks but begin building a foundation of an empire… or at least of a wireless infrastructure.

A few key factors drove us to our final conclusion. One, we knew that to cover the necessary areas with a strong signal we would need quite a few access points. That single nugget of knowledge leads us to a second criterion: central management. Fortunately I have had several installations utilizing the Cisco 4400 series WLC’s and between personal experience and the need for centrally managed wireless, Cisco was an easy starting point.

As I said before, I had planned on using my previous experiences with the 2100 and 4400 WLC’s to create a smooth introduction to the wonders of wireless. First I took a look at the new 5500 series WLC and was very happy with a couple key components.

Licensing is software driven, not hardware driven. It can be expanded to support more AP’s with a licensing key.

There is a single management interface (in the past there was a Management interface as well as an AP Management interface, using 2 IP’s normally on the same network.

OfficeExtend which creates a secure tunnel between an AP, presumably at a teleworker site, and the main Controller.

***REMEMBER TO ORDER THE GBIC’S*** there are no usable Ethernet ports available on any of the Enterprise WLC’s

So I said sign me up.

One of the things to consider once you have decided on wireless (any wireless) is what your network needs will be, that will determine the method of security and the availability of that network throughout your enterprise. In my scenario I had the need for the following:

Department

Terminal Type

Employee

Security Type

DB Location

Agency PC

Domain Member

Yes

PEAP

Radius (AD)

Medical

Embedded

Yes

WPA2

PSK

Guest

PC Off Domain

No

Webauth

Local

Employee

PC Off Domain

Yes

Webauth

Radius (AD)

Each of these four scenarios represents a different approach. We will visit each of those here. Part 1 will be the initial setup of the WLC box, Radius, and the Core Switching, Part 2 will be PEAP authentication, Part 3 will be WPA2 with PSK, Part 4 will be Webauth with Local Authentication DB and finally Part 5 will be Webauth with Radius Authentication.

Part 1

In this Scenario we are using the above network information to build out our initial Wireless Infrastructure. The setup will be similar regardless of what elements you have in the mix but just to cover my bases I am working on a Windows Server 2003 Enterprise R2 32-bit Domain Controller, a Cisco 3560E running IOS 12.2(35)SE5, Cisco CT5508 running 6.0.182.0, and Aironet 1142N LWAP’s with the 12.4(21a)JA IOS running on them. From here on I will reference the 5508 as the WLC, the Server as the DC, the 3560E as the Core and the 1142’s as the AP’s. Now on to the nitty-gritty…

Server 2003 DC Configuration

In this scenario we are using Microsoft Active Directory to provide AAA information to the requesting entity (the WLC). The specific service which will be handling this is the IAS service or Internet Authentication Service. With that said, go to Control Panel -> Add or Remove Programs -> Add/Remove Windows Components. When the Windows Components Wizard window opens, scroll down to Networking Services, select it and move down to Internet Authentication Service, click the checkbox and click the “OK” button. Click “Next” then “Finish” to wrap it up.

You must also set up Certificate Services which means you might as well set up IIS (Internet Information Services) which will allow you to web enroll certificates. So the first step is to go back into Control Panel -> Add or Remove Programs -> Add/Remove Windows Components. When the Windows Components Wizard window opens, scroll down to Application Server and select it, click the “Details” button, and on the “Application Server” Window scroll down to Internet Information Services (IIS) and check the box (it will appear as a light grey, that’s OK. Click the “OK” button, Followed by “Next” and “Finish”.

To set up Certificate Services you must be on a DC. Additionally you will be unable to rename the machine or change its Domain membership without killing all the Cert’s you have issued. You will get a much longer version of that on the popup. At which you say ok and move on. This will be an Enterprise root CA, select that radio button and choose “Next”.

For the Common Name, I usually stick with the hostname of the server in question.

Then choose defaults for the rest of the wizard. *POOF* you now have a Self-Signed Certification Authority.

Now that you have all the requisite servers in place we will need to make sure they play fairly together. Go to the IAS console via Administrative Tools -> Internet Authentication Service. On this window we will begin tying our elements together.

First you must integrate IAS with AD. You will do so by right-clicking on “Internet Authentication Service (Local)” and choose the “Register the Server in Active Directory” menu choice. Next you will right-click on RADIUS Clients” and choose the “New RADIUS Client” option. In the window that appears populate your information and click “Next”.

In this window, leave the Client-Vendor: drop down on RADIUS Standard. Choose a shared secret (keep this key in mind, we will enter it on our WLC) I am choosing $WLC$ecret007.

Once you click “Finish” the new Client will appear in the IAS

Next I like to remove all the default Access Policies and add my own. The thing to remember about Access Policies is that it works from the top down (like most ACL’s). Each Access Policy will be unique to the scenario that we are driving, meaning that we will not be doing the Access Policy just yet.

Next we have the Core, nothing too big there. The hardest part is the DHCP portion to allow for the AP’s to get the proper WLC settings. The segment is color-coded for sanity’s sake. From Cisco’s site:

The hex string is assembled by concatenating the TLV values shown below:

(hex). Length is the number of controller management IP addresses times 4 in hex. Value is the IP address of the controller listed sequentially in hex.

The relevant info is as follows:

ip dhcp pool SERVERS

network 10.1.10.0 255.255.255.0

default-router 10.1.10.1

dns-server 10.1.10.10

option 60 ascii “Cisco AP c1140″

option 43 hex f104.0a01.0a0a

interface Port-channel1

description LAG Connection to WLC 5508

switchport trunk encapsulation dot1q

switchport trunk allowed vlan add 10

switchport mode trunk

interface GigabitEthernet0/10

description connection to 5508 WLC

switchport trunk encapsulation dot1q

switchport mode trunk

channel-group 1 mode on

interface GigabitEthernet0/11

description connection to 5508 WLC

switchport trunk encapsulation dot1q

switchport mode trunk

channel-group 1 mode on

interface Vlan10

description Servers

ip address 10.1.10.1 255.255.255.0

no shutdown

vlan 10

name Servers

state active

We will be adding bunches to the core once we get into each scenario. At this point we are only trying to get the bare essentials for communication between the key devices.

Start with the WLC OFF. Now the 5508 gives several choices for the initial configuration, for us, we are using the console port. The cables came with the appliance. The settings are standard Cisco VT-100 and are as follows:

9600 baud

8 data bits

1 stop bit

No parity

No hardware flow control

Power On the console.

Enter the Controller Name:

Enter the Administrator Username/password (the default is admin/admin)

Enter DHCP

Yes to LAG (Plug port 1 and 2 GBIC’s to the Core port G0/10, G0/11)

Enter the Management Interface IP: 10.1.10.50

Enter the Management Interface Mask: 255.255.255.0

Enter the Default Router IP: 10.1.10.1

Enter the VLAN identifier of the management interface: 10

Enter the IP of the default DHCP server that will supply IP addresses to clients: 10.1.10.50

Enter the IP of the virtual interface: 1.1.1.1

Enter the name of the mobility group/RF group: WIFI

Enter the network name: WIFI

To Require clients to request an IP address from a DHCP server: NO

Configure a RADIUS server : YES

Enter RADIUS Server IP: 10.1.10.10

Enter RADIUS Server Port: 1812

Enter Secret Key: $WLC$ecret007

County Code: US

802.11b: YES

802.11a: YES

802.11g: YES

RRM: YES

NTP: YES, enter time server IP:10.1.10.10

That sums up the wizard. Now it should be able to communicate with the core and the AAA server and the AP’s.

And that sums up Part 1, the Infrastructure. We will get more scenario specific in the next part.